- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
- Affects Version/s: 3.1.0, 3.2.1
- Fix Version/s: 3.3.0
- Labels:
- Story Points: 0.5
- Sprint: Sprint 89

If a user has read privileges to an npm group, but not the underlying npm proxy, then "npm install <package>" will get a 500 response for any package that is not locally cached in the npm proxy.

Steps to reproduce:
1) Set up an npm group npm-all that has npm proxy npmjs as a member
2) Set up a user that has access to group repo npm-all (privilege nx-repository-view-npm-npm-all).
3) Try to install an npm package that is not locally cached in proxy npmjs

The npm install command will fail with something like the following:
    npm http fetch GET http://localhost:8081/repository/npm-all/glob/-/glob-7.1.1.tgz
    npm http fetch 500 http://localhost:8081/repository/npm-all/glob/-/glob-7.1.1.tgz
    npm info retry will retry, error on last attempt: Error: server error 500

Nexus logs will show the following:
    2016-12-21 11:21:38,899+0000 WARN [qtp1898010376-415] test org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service failure
    java.lang.RuntimeException: java.io.IOException: org.apache.shiro.authz.AuthorizationException
        at com.google.common.base.Throwables.propagate(Throwables.java:160) [na:na]
        at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.getUrl(NpmProxyFacetImpl.java:142) [na:na]
        at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.fetch(ProxyFacetSupport.java:210) [na:na]
        at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.fetch(NpmProxyFacetImpl.java:62) [na:na]
        at org.sonatype.nexus.repository.proxy.ProxyFacetSupport.get(ProxyFacetSupport.java:166) [na:na]
        at org.sonatype.nexus.repository.proxy.ProxyHandler.handle(ProxyHandler.java:49) [na:na]
        at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80) [na:na]
        at org.sonatype.nexus.repository.storage.UnitOfWorkHandler.handle(UnitOfWorkHandler.java:39) [na:na]
        at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80) [na:na]
        at org.sonatype.nexus.repository.view.Context$proceed.call(Unknown Source) [na:na]
        at com.sonatype.nexus.repository.npm.internal.NpmProxyRecipe$_closure1.doCall(NpmProxyRecipe.groovy:160) [na:na]
        ... ...
    Caused by: java.io.IOException: org.apache.shiro.authz.AuthorizationException
        at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.retrievePackageRoot(NpmProxyFacetImpl.java:347) [na:na]
        at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.retrievePackageVersion(NpmProxyFacetImpl.java:299) [na:na]
        at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.getUrl(NpmProxyFacetImpl.java:138) [na:na]
        ... 131 common frames omitted
    Caused by: org.apache.shiro.authz.AuthorizationException: null
        at org.sonatype.nexus.repository.security.SecurityFacetSupport.ensurePermitted(SecurityFacetSupport.java:72) [na:na]
        at org.sonatype.nexus.repository.security.SecurityHandler.handle(SecurityHandler.java:48) [na:na]
        at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80) [na:na]
        at org.sonatype.nexus.repository.view.handlers.TimingHandler.handle(TimingHandler.java:46) [na:na]
        at org.sonatype.nexus.repository.view.Context.proceed(Context.java:80) [na:na]
        at org.sonatype.nexus.repository.view.Context.start(Context.java:114) [na:na]
        at org.sonatype.nexus.repository.view.Router.dispatch(Router.java:60) [na:na]
        at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:52) [na:na]
        at org.sonatype.nexus.repository.view.ConfigurableViewFacet.dispatch(ConfigurableViewFacet.java:43) [na:na]
        at com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.retrievePackageRoot(NpmProxyFacetImpl.java:336) [na:na]
        ... 133 common frames omitted

Workaround:
If you give that user a read privilege to the proxy npmjs (nx-repository-view-npm-npmjs-read), then the user should be able to install the package that is not already cached.

Group level permissions should be transitive, therefore the user has the same privileges for all member repositories.

- is related to
  - NEXUS-12073 Pulling from Docker group generates error unless read access assigned directly to member (Closed)
  - NEXUS-16077 pip search on group requires read privilege on member repositories (Closed)
- testing discovered
  - NEXUS-12452 bower install fails when user has only group level privileges (Closed)
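
A log triage check for the failure signature in the Nexus log above, as an added example that is not part of the original issue or Sonatype's code. The sample log is constructed from the excerpt on this page plus one unrelated failure (user `alice` is made up), and reading the field after the thread name as the user id is an assumption.

```python
import re

# Constructed sample: first event abbreviates the trace on this page,
# second event is an unrelated 500 that must not be reported.
SAMPLE_LOG = """\
2016-12-21 11:21:38,899+0000 WARN [qtp1898010376-415] test org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service failure
java.lang.RuntimeException: java.io.IOException: org.apache.shiro.authz.AuthorizationException
\tat com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.getUrl(NpmProxyFacetImpl.java:142) [na:na]
Caused by: java.io.IOException: org.apache.shiro.authz.AuthorizationException
\tat com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.retrievePackageRoot(NpmProxyFacetImpl.java:347) [na:na]
Caused by: org.apache.shiro.authz.AuthorizationException: null
\tat org.sonatype.nexus.repository.security.SecurityFacetSupport.ensurePermitted(SecurityFacetSupport.java:72) [na:na]
2016-12-21 11:25:02,114+0000 WARN [qtp1898010376-420] alice org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Service failure
java.lang.RuntimeException: java.net.SocketTimeoutException: Read timed out
\tat com.sonatype.nexus.repository.npm.internal.NpmProxyFacetImpl.getUrl(NpmProxyFacetImpl.java:142) [na:na]
"""

# timestamp, level, [thread], user id (assumed, may be empty), logger, message
HEADER = re.compile(r"^(\S+ \S+) (\w+)\s+\[([^\]]+)\] (\S*) (\S+) - (.*)$")
AUTHZ_ROOT = "Caused by: org.apache.shiro.authz.AuthorizationException"

def find_group_auth_failures(log_text):
    """Return (timestamp, user) for each 500 caused by the member-repo permission check."""
    events, current = [], None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:  # a new log event starts; following lines are its stack trace
            current = {"time": m[1], "user": m[4] or "<anonymous>",
                       "logger": m[5], "message": m[6], "trace": []}
            events.append(current)
        elif current is not None:
            current["trace"].append(line.strip())
    hits = []
    for ev in events:
        if not (ev["logger"].endswith("ViewServlet") and ev["message"] == "Service failure"):
            continue
        causes = [l for l in ev["trace"] if l.startswith("Caused by:")]
        # Root cause must be the Shiro denial, raised by the security check,
        # reached while the npm proxy fetched the package root.
        root_is_authz = bool(causes) and causes[-1].startswith(AUTHZ_ROOT)
        denied = any("SecurityFacetSupport.ensurePermitted" in l for l in ev["trace"])
        via_npm = any("NpmProxyFacetImpl.retrievePackageRoot" in l for l in ev["trace"])
        if root_is_authz and denied and via_npm:
            hits.append((ev["time"], ev["user"]))
    return hits

if __name__ == "__main__":
    for when, user in find_group_auth_failures(SAMPLE_LOG):
        print(f"{when} user={user}: npm group read denied on proxy member")
```

Each reported user is a candidate for the member-level read privilege workaround described above until the instance is on the fix version.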